Businesses' ever-increasing reliance on information and the computing systems that produce, process, distribute, and maintain such information in its various forms, puts great demands on techniques for thoroughly and efficiently securing that information. Because business organizations can produce and retain large amounts and varieties of information (and normally do so, in fact), the need for securing such information will only increase. These issues are especially important with regard to information kept by businesses regarding their customers.
As consumer awareness of the importance of and need for data privacy increases with the inevitable increases in data-sharing that such reliance engenders, the importance of customer data privacy management has increased, particularly in view of the flurry of federal, state and international laws that is pushing such issues to the top of many businesses' agendas. In the financial services industry, for example, companies are making tremendous efforts to comply with privacy laws and to protect their customers' privacy rights. The implementation of privacy best practices within the complex process and information technology (IT) environment of financial institutions often requires team collaboration among the legal, office of privacy, operations, business, and technology owners. The course to owning a homegrown privacy solution is costly, and such a solution is frequently not scalable when business and IT complexity increases. Many companies opt to shut down cross-marketing activities because such companies have not gone through or updated the compliance processes required to share customer data or solicit product interests. The inability to capitalize on their existing customer relationship management (CRM) and marketing campaign investments, in order to derive customer insight, is a profound problem for businesses lacking an adequate solution to manage privacy compliance. However, good privacy practice is not only important to meeting the letter of the law, but has a number of benefits for businesses willing to implement sound policies and procedures. Various polls show that consumers tend to buy more frequently and in higher volumes from companies they believe to have sound privacy practices. Companies can view customers' privacy needs as an opportunity to articulate both the company's established privacy practice and the value of permission-based sharing to the consumer.
Entities wishing to address these needs must contend with a diverse array of privacy regulations. The following are examples of privacy regulations and policy components that drive the need for a privacy management solution. One such set of privacy regulations is the Fair Credit Reporting Act (FCRA), which was the first federal privacy law. The FCRA was set forth in the Consumer Credit Reporting Reform Act of 1996 and is still in effect today. In December 2003, the Fair and Accurate Transaction Act (FACTA) amended the FCRA to include certain additional privacy provisions (effective dates vary). The FCRA applies to the disclosure of “consumer reports,” which contain information regarding a consumer's credit worthiness/standing/capacity, such as credit scores, income, assets, and the like. The FCRA prohibits non-consumer reporting agencies from sharing this type of personal information with non-affiliated third parties. The FCRA makes a distinction between traditional consumer report information and transaction/experience information that may bear on a consumer's credit worthiness/standing/capacity (i.e., slow to pay). The FCRA prohibits the sharing of traditional consumer report information with affiliates unless the consumer is first given a notice and opportunity to opt out of such sharing and the consumer does not opt out, though an entity may share transaction/experience information freely with affiliates. Under FACTA, there is a prohibition on an affiliate's use of traditional consumer report and transaction/experience information (“eligibility information”) unless the consumer is first given a notice and opportunity to opt out of such use and the consumer does not opt out. For willful violations, the law carries up to a $1,000-$2,500 fine per violation but not less than $100 per violation and, in some cases, attorney's fees; for negligent noncompliance, the law provides actual damages, court costs, and attorney's fees.
Another set of privacy regulations is the Gramm-Leach-Bliley Act (GLBA). The GLBA is a privacy law that became effective November 1999 and provides for mandatory compliance with the FTC Privacy Regulations as of Jul. 1, 2001. The GLBA applies to “financial institutions,” which are defined as companies that offer products or services to individuals, such as loans and leases, financial or investment advice, or insurance. The GLBA governs the use and disclosure of nonpublic personal information (NPI; personally identifiable financial information). The GLBA makes a distinction between “consumers” and “customers”, as defined. The GLBA requires financial institutions to provide a Privacy Policy Notice describing certain aspects of their privacy policies and information-sharing practices to all new customers at the inception of the relationship and annually thereafter until the relationship is terminated. If the company's sharing practices change, the company's Privacy Policy Notice must also change, and the revised notice and a reasonable opportunity to opt out, if applicable, must be provided to the customer. The GLBA also requires financial institutions to provide a Privacy Policy Notice describing certain aspects of their privacy policies and information-sharing practices to all consumers before the institution discloses any NPI about the consumer to any nonaffiliated third party outside the exceptions of the law. The GLBA gives both consumers and customers Opt Out Rights to limit some—but not all—sharing of their personally identifiable financial information (PIFI) with non-affiliated third parties. The law carries a fine not to exceed $11,000 per violation and injunctive relief.
The GLBA “Safeguard Law” became effective November 1999, and compliance with the FTC Safeguards Regulations became mandatory as of May 23, 2003. This law also applies to “financial institutions”—companies that offer products or services to individuals, like loans and leases, financial or investment advice, or insurance. The law governs the handling of customer NPI. The law requires financial institutions to develop and implement a comprehensive written information security program that contains administrative, technical, and physical safeguards to protect NPI. Again, the law carries a fine not to exceed $11,000 per violation and injunctive relief.
Such laws also exist at the state level. An example of such a law is the California Financial Information Privacy Act (CFIPA; also known as CA SB 1), which became effective Jul. 1, 2004. Prior to sharing any nonpublic personal information with an affiliate, CFIPA requires that financial institutions provide California-based residents with a special disclosure and allow a 45-day initial waiting period before sharing occurs, in order to provide a customer with an opportunity to exercise his/her opt out right. Certain exceptions apply. A financial institution must implement the consumer's opt out within 45 days of receipt. There is a safe harbor disclosure form. Before sharing nonpublic personal information with a nonaffiliated third party, CFIPA requires financial institutions to obtain a consumer's affirmative written consent (opt-in) on a special disclosure form to engage in the sharing. Certain exceptions also apply here. The law carries a fine not to exceed $2,500 per violation with a $500,000 cap. However, if a financial institution knowingly and willfully violates CFIPA, there is no cap. If a violation results in identity theft, civil penalties will be doubled.
Such regulations also take the form of simple prohibitions. For example, the National Do Not Call Registry (NDNCR) became effective October 2003. The NDNCR applies to all telemarketers, but does not include political organizations, charities, telephone surveyors, or companies with which consumers have an existing business relationship, while a similar restriction (the Federal Trade Commission (FTC) Telemarketing Sales Rule (TSR)) extends to interstate telemarketing activity. The Federal Communications Commission (FCC) Telephone Consumer Protection Act (TCPA) also regulates telemarketing, and its jurisdiction covers both interstate and intrastate telemarketing activity. The TCPA may preempt certain state telemarketing laws. In fact, the FTC and the FCC both utilize the National Registry. With regard to such regulations at the state level, it will be noted that fifteen states had shared data with the national registry before Jun. 26, 2003, and some states have their own state do not call registry. Further, some states statutorily designate the national registry as their own state registry. Telemarketers and sellers were initially required by the FTC to search the registry at least every three months, and beginning Jan. 31, 2005, once every 31 days. These telemarketers and sellers must drop the registered phone numbers from their call lists. Customers on the registry can file a complaint online or by calling, and violators of the FTC TSR could be fined up to $11,000 per incident, plus state penalties where applicable. There is a “safe harbor” for inadvertent violations, however.
Another set of privacy-centric regulations is the USA Patriot Act, and Section 326 thereof, in particular. The Patriot Act requires the Secretary of the Treasury to prescribe regulations for financial institutions to implement procedures to 1) verify the identity of any person opening an account; 2) maintain records of the information used to verify a person's identity, including name, address, and other identifying information; and 3) consult lists of known or suspected terrorist organizations provided to the financial institution by any government agency to determine whether a person seeking to open an account appears on any such list.
Office of Foreign Asset Control (OFAC) Economic Sanction Rules (ESRs) also address privacy issues. OFAC administers and enforces economic sanctions programs primarily against countries and groups of individuals, such as terrorists and narcotics traffickers. OFAC ESRs prohibit “US persons” from doing business with Specially Designated Nationals (SDNs). Entities must check the SDN List prior to engaging in business with an individual. If the individual is on the list, the entity must determine if it is a true hit. If so, certain blocking, rejecting and reporting requirements apply. Awareness of OFAC Sanction Rules has increased since the enactment of the USA Patriot Act, but the sanctions regime has been in place since WWII.
Other laws also exist that implicate privacy issues and place requirements on business entities that such entities must take into consideration in operating their businesses. For example, under California law, businesses are no longer able to post or publicly display Social Security numbers, print the numbers on identification cards or badges, require people to transmit the numbers over the Internet unless the connection is secure or encrypted, require people to log onto a World Wide Web site using a Social Security number without a password, or print the numbers on materials mailed to customers unless required by law or the document is a form or application. Effective Jul. 1, 2006, Illinois enacted a similar law. Another example is security breach laws. Under California law, those who do business in California and that own or license computerized data that includes personal information, as defined, must disclose any breach of the security of the system, following discovery or notification of the breach, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Several other states are following suit.
As will be appreciated, following such a wide variety of disparate laws can present a multitude of issues and obstacles for a business. In response to these demands, many businesses have attempted to develop proprietary privacy solutions to accelerate their compliance with privacy regulations, particularly as enforcement has tightened in the past to protect consumer privacy data. However, as can easily be appreciated, these homegrown privacy efforts have historically failed to address the mandates of the aforementioned rules and regulations, as well as others. As a result of such failures, businesses face increased exposure to the inadvertent violation of such rules and regulations, and the penalties that accompany such infractions. Moreover, because the systems are not only inadequate, but costly to update, businesses face ever-increasing costs in an attempt to maintain such systems. Further still, the privacy compliance process is long and resource-consuming for both the business and its IT group. The following provides a short list of examples of the issues such proprietary systems encounter, which include:
1) Lack of a central system with a flexible customer information management infrastructure to store and publish unique, correct and complete customer personal data, opt-in/out sharing consents, solicitation preferences and the like. Manual steps are often required to generate multiple lists, which must then be integrated, in order to obtain customers' privacy statuses.
2) Costly IT projects are required to roll out new privacy policies and processes across an entity's systems. These projects involve significant resource investments and typically involve some variation of the following steps:
a. General Counsel interprets privacy laws and creates consumer privacy policies. Note that companies evaluate the privacy laws with varying interpretation approaches—conservative, moderate and liberal interpretation—and with different business models.
b. A core team including legal, office of privacy, business operations, corporate marketing, IT and/or business personnel is formed to assess the impact of the new privacy policies and sets forth the plan to roll out the requirements.
c. Privacy officers and/or business analysts create business requirements based on the new privacy policies.
d. IT designers create design specifications to comply with the business requirements.
e. IT programmers write and test the code per the design specifications.
3) Inability to react, or to react with sufficient swiftness, to changes in privacy policy, particularly in implementing such changes quickly and consistently across the company. This is at least due to the need to roll out such changes across a substantial number of the business' systems.
4) The inordinate effort required to effect changes to proprietary privacy database(s) and application(s).
Therefore, it is desirable to provide a mechanism and system that efficiently maintains privacy information, and addresses the foregoing issues.
The use of the same reference symbols in different drawings indicates similar or identical items.